Opinion: How 2025’s cyber ‘10 days of doom’ exposed the UK supply chain threat

The hammering UK retailers took in 2025 from cyber security incidents has pushed the subject higher up corporate agendas, writes TLT partner Ed Hayes.

The hammering UK retailers took in 2025 from cyber security incidents has pushed the subject higher up corporate agendas, writes Ed Hayes, partner at TLT law firm (and ex-Clarks head of legal)…

The ‘10 days of doom’ in late spring that hit Marks and Spencer, the Co-operative Group and Harrods focused minds on the consequences of cyber attacks.

With Heathrow Airport, Adidas, H&M, and Jaguar Land Rover among the big retail and leisure sector names also impacted in 2025, the message is stark: cyber risks are real and growing.

While retailers are naturally reticent about disclosing full details of attacks, publicly available information points clearly to supply chain targets. The Adidas incident was an attack on a third-party customer service provider; the Heathrow attack targeted a provider of electronic check-in and baggage services; and an incident hurting deliveries to major supermarkets was an attack on a third-party logistics provider.

With the supply chain expanding from traditional haulage and warehousing to ecommerce platforms, managed IT providers and POS vendors, all connecting into retailers’ systems, the risk has heightened in recent years.

Criminal attackers like supply chains for the same reason as retailers: scale and speed. Compromising one widely used supplier opens routes into dozens of downstream organisations. In light of this, the UK’s National Cyber Security Centre (NCSC) has long pushed organisations to treat suppliers as part of their security perimeter and to manage risk systematically rather than by “tick-box” questionnaires.

What do supply-chain cyber risks look like?

Small supplier, big doorway
A local maintenance contractor with weak security controls can be a route into a retailer’s systems. VPN access, mailbox access or an API key is often enough for an attacker to move laterally in a retailer’s IT systems after compromising a single third party.

Abuse of trusted connections
Most retailers run on integrations: EDI links to suppliers, APIs to couriers, single sign-on cloud services, remote support for store systems, etc. An attacker doesn’t need to hack a firewall if they can log in through a legitimate third-party route.

Software compromise
Retail platforms typically depend on third-party components and frequent updates. A compromised update, malicious dependency, or stolen code-signing credential lets an attacker deliver malware straight into a retailer’s production environment cloaked as standard change activity.

Data leak
An initial compromise might be “just” a supplier, but typically the retailer impact is large: loyalty data, customer contact details, employee HR data, or product and pricing strategies are targets for criminal hackers once they are ‘in’. Most attacks combine service disruption with the threat of publication of customer and staff personal data.

What legal issues does this present?

A retailer’s legal obligations don’t fall away because it is targeted indirectly through a third-party supplier, rather than in an attack on its own systems. If personal data is involved, UK GDPR requires that a retailer has “appropriate technical and organisational measures”, including ensuring the robustness of supply chain partners.

Contracts should set out security expectations, assistance requirements and incident management protocols. Failing to mandate, and check, that vendors in the supply chain have appropriate security measures can leave a retailer responsible for any resulting data loss.

For virtually all retailers, focus on payment security is a daily operational reality. PCI DSS v4 introduced new payment card security requirements, effective spring 2025, raising the bar on areas such as authentication and anti-phishing controls. Any retailer outsourcing payment processing needs confidence in supplier compliance with those standards, and that integration choices don’t leave gaps.

While most retailers are not directly regulated as ‘operators of essential services’ under the Network and Information Systems Regulations 2018, the UK is moving toward stronger oversight of cyber resilience across critical services and their dependencies.

The Government’s Cyber Security and Resilience Bill (introduced November 2025) is framed as reforming and adding to the NIS regime, focusing on supply chain risks and sectors such as managed service providers and data centres. That should have knock-on effects for contract terms, audit rights, and incident response arrangements.

What protections are needed?

Supply chain cyber risk should be treated like any other material business risk: prioritised, measured, and with controls built into commercial processes.

  • Mapping
    Any retailer needs to understand its supply chain end-to-end, and have clarity on which suppliers can affect operations or data. The NCSC has published helpful supply chain guidance, which focuses on establishing oversight and control, without expecting perfect knowledge.
  • Minimise access
    A key step is reducing the “blast radius” of an attack by ensuring supplier access is limited to the minimum required, time-boxing privileged access, enforcing multi-factor authentication, and separating store networks from corporate systems. If retailers assume credentials will be stolen at some point and design systems to ensure that one stolen account cannot have wider ramifications, cyber risk will be mitigated.
  • Operational contracts
    Too many contracts treat security as an after-thought. Supplier policies and procedures are accepted unchecked, specific security controls are not mandated, incident handling protocols are not established, unrestricted sub-contracting is permitted, or rights to audit are not included.
  • Evidence not promises
    Retailers should be insisting on independent assurance (e.g., SOC 2 reports, ISO 27001 certification, penetration test summaries) of supplier security compliance, and ensuring they have the capability to audit and interpret what’s covered.
  • Plan for incidents
    The retailers best able to respond to almost inevitable attacks on partners are those that run regular exercises that test response to failure at some point in the supply chain. There should be readily deployable playbooks including information on isolating integrations quickly, rotating API keys, and customer and regulator communications.
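The “Minimise access” controls above (least privilege, time-boxed privileged access, MFA, store/corporate separation) can be checked mechanically against a supplier access register. The following is an added example, not code from the article: it reviews a constructed register (hypothetical suppliers, assumed field layout) for access that is not time-boxed, lacks MFA, has expired but is still active, or bridges store and corporate networks, and reports each supplier’s blast radius.

```python
"""Supplier access review against the 'minimise access' controls.
Added example; the register fields and sample suppliers are assumed/constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    supplier: str
    kind: str                 # "vpn", "mailbox" or "api_key"
    privileged: bool
    mfa: bool
    expires: date | None      # None = standing access with no end date
    networks: frozenset[str]  # networks the grant can reach, e.g. "store", "corporate"

def review(grants: list[Grant], today: date) -> dict[str, list[str]]:
    """Return findings keyed by supplier; an empty list means the supplier passes."""
    findings: dict[str, list[str]] = {g.supplier: [] for g in grants}
    for g in grants:
        out = findings[g.supplier]
        if g.kind != "api_key" and not g.mfa:          # interactive access must have MFA
            out.append(f"{g.kind}: MFA not enforced")
        if g.privileged and g.expires is None:         # privileged access must be time-boxed
            out.append(f"{g.kind}: privileged access is not time-boxed")
        if g.expires is not None and g.expires < today:  # expired grants should be revoked
            out.append(f"{g.kind}: expired on {g.expires} but still active")
        if {"store", "corporate"} <= g.networks:       # one grant must not bridge both networks
            out.append(f"{g.kind}: bridges store and corporate networks")
    return findings

def blast_radius(grants: list[Grant]) -> dict[str, int]:
    """Distinct networks reachable per supplier if all of its credentials were stolen."""
    reach: dict[str, set[str]] = {}
    for g in grants:
        reach.setdefault(g.supplier, set()).update(g.networks)
    return {s: len(n) for s, n in reach.items()}

# Constructed sample register (hypothetical suppliers, not real ones).
SAMPLE = [
    Grant("maintenance-co", "vpn", True, False, None, frozenset({"store", "corporate"})),
    Grant("courier-api", "api_key", False, False, date(2025, 12, 31), frozenset({"corporate"})),
    Grant("pos-vendor", "vpn", True, True, date(2025, 3, 1), frozenset({"store"})),
]

if __name__ == "__main__":
    for supplier, issues in review(SAMPLE, date(2025, 6, 1)).items():
        print(supplier, issues or ["ok"], "reach:", blast_radius(SAMPLE)[supplier])
```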

Hope for 2026?

One of the few upsides of the awful 2025 that retailers suffered on the cyber threat front is growing awareness of the criticality of supply chain security.

Suppliers are coming to understand the security demands that retailers rightly have, driving improvements in their contractual and operational starting positions.

Supply chain vendors that don’t adapt and improve will be left behind by retailers that can’t afford the cost of cyber risks being baked into their IT systems by third parties. That coincidence of retailer awareness and an enhanced supplier offer can materially reduce a retailer’s cyber risk profile.
